Bug 1276255

Summary: golang-1.5 breaks tls handshake certificate chain verification
Product: [Fedora] Fedora
Reporter: Jan Chaloupka <jchaloup>
Component: golang
Assignee: Vincent Batts <vbatts>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: high
Version: 23
CC: admiller, golang-updates, jcajka, lemenkov, renich, s, vbatts
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2015-10-29 14:53:10 UTC
Type: Bug
Bug Blocks: 1274854

Description Jan Chaloupka 2015-10-29 09:22:05 UTC
Description of problem:
When building kubernetes with go-1.5, 'kubectl exec --v=9 mock /bin/sh -i' ends with "tls: handshake did not verify certificate chain". This does not happen with go-1.4.

Version-Release number of selected component (if applicable):
golang-1.5.1-1.fc23

How reproducible:
always

Steps to Reproduce:
See bz#1274854

Comment 1 Jan Chaloupka 2015-10-29 09:40:33 UTC
Based on https://github.com/golang/go/issues/12024, it should be fixed.

This PR [1] introduces the issue. This PR [2] is supposed to fix it. Does not appear so. Maybe it is a question of correct configuration.

[1] https://github.com/golang/go/commit/3cf15b57f76400b22366ccd8ef5b211c72ab6a7f
[2] https://github.com/golang/go/commit/46a29138827cefb15e437f291cbb2ccda685b840

Comment 2 Jan Chaloupka 2015-10-29 14:53:10 UTC
Confirming it is fixed in golang. Kubernetes upstream has refactored and patched the code for TLS connection in 1.2. Backporting the patch to 1.0.6 solves the issue.